Moxa released a new version to mitigate hardcoded credentials and authentication bypass vulnerabilities in its OnCell Central Manager Software, according to a report on ICS-CERT.
These remotely exploitable vulnerabilities ended up reported to HP’s Zero Day Initiative (ZDI) by security researcher Andrea Micalizzi.
OnCell Central Manager Software prior to version 2.2 suffer from the issues.
Successful exploitation of these vulnerabilities could allow an attacker to bypass the authentication mechanisms and perform remote code execution.
Moxa is a Taiwan-based company that maintains offices in several countries around the world, including the U.S., UK, India, Germany, France, China, Russia, and Brazil.
The affected product, OnCell Central Manager, is a central management software that allows configuration, management, and monitoring of remote devices.
OnCell Central Manager sees action across several sectors, including commercial facilities, critical manufacturing, energy, and transportation systems. Moxa estimates these products see use primarily in the United States and Europe with a small percentage in Asia.
As far as the use of hard-coded credentials goes, the affected products contain a hard-coded root account with full privilege access.
CVE-2015-6481 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.3.
In the authentication bypass vulnerability, the affected products contain a vulnerable servlet that could bypass the authentication mechanism.
CVE-2015-6480 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.3.
No known public exploits specifically target these vulnerabilities. However, an attacker with a low skill would be able to exploit these vulnerabilities.
Moxa released OnCell Central Manager, Version 2.2, to mitigate these vulnerabilities. Moxa recommends upgrading to Version 2.2.